Amazon Product Advertising API Signature - PHP

After August 15, 2009 in order to use Amazon's Product Advertising API a timestamp and signature must be included with each request made to Amazon.com. Information concerning this requirement can be accessed at Amazon's Product Advertising API Version 2009-03-31. While searching for additional information about generating the signature string. I found two helpful websites which feature PHP code for this purpose!

Amazon® AWS HMAC signed request using PHP

REST Authentication for PHP4

In order to get a better understanding of how Amazon's signature authentication process worked. I decided to hack together some basic PHP code which adds both the timestamp and signature to the Amazon API request. Unlike the code available from the above websites. I decided to see if I could generate the signed request string without using arrays. The following code appears to works ok when using PHP5. Please note that you will need an "AWSAccessKeyId" and a "Secret Access Key" to create the signed Amazon request URL. The "XML" link included in the code allows you to view Amazon's raw XML data. If you don't want the link to show simply comment it out. Same with the print_r ($XML) funtion which allows for viewing the data after it has been parsed by PHP5's simplexml_load_file () function.

The following code pretty much follows Amazon's example under "Example REST Requests". The code generates a Timestamp using the gmdate() function. The colons in the Timestamp are urlencoded using the str_replace() function. Comas in the ResponseGroup are also urlencoded using str_replace(). I manually sorted the order of the "parameter/value pairs" in the $String as shown in the Amazon example. Which states that they should be arranged "by byte value (not alphabetically, lowercase parameters will be listed after uppercase ones)". Line breaks in the $String are included to make arraigning the parameter/value pairs easier. The line breaks in the $String are then removed using str_replace(). Line breaks (/n) are added to the $Prepend string. $Prepend and $String are combined into one string and use base64_encode(hash_hmac( )) and the Secret Access Key to create the Amazon request signature. The $Signature string is then urlencoded for plus (+) and equal (=) using str_replace(). The $SignedRequest is created simply by combining the different pieces of the request URL and adding the Signature.

<?
$AWSAccessKeyId = "";
$SecretAccessKey = "";

$ItemId = "0679722769"; // ASIN
$Timestamp = gmdate("Y-m-d\TH:i:s\Z"); 
$Timestamp = str_replace(":", "%3A", $Timestamp);
$ResponseGroup = "ItemAttributes,Offers,Images,Reviews";
$ResponseGroup = str_replace(",", "%2C", $ResponseGroup);

$String = "AWSAccessKeyId=$AWSAccessKeyId&
ItemId=$ItemId&
Operation=ItemLookup&
ResponseGroup=$ResponseGroup&
Service=AWSECommerceService&
Timestamp=$Timestamp&
Version=2009-01-06";

$String = str_replace("\n", "", $String); 

$Prepend = "GET\nwebservices.amazon.com\n/onca/xml\n";
$PrependString = $Prepend . $String;

$Signature = base64_encode(hash_hmac("sha256", $PrependString, $SecretAccessKey, True));  
$Signature = str_replace("+", "%2B", $Signature);
$Signature = str_replace("=", "%3D", $Signature);

$BaseUrl = "http://webservices.amazon.com/onca/xml?";
$SignedRequest = $BaseUrl . $String . "&Signature=" . $Signature;

$XML = simplexml_load_file($SignedRequest);

echo '<a href="'.$SignedRequest.'">XML</a><p>';
print_r ($XML);
?>

PHP:

 

Thank you, informative.

 

interesting, I think I could combine it with other affiliate script...

and tophotdeals awesome. wanna guide me to build that with wp?

 

Thanks, this is nice. I used the code you linked to above which really simplified things, though yours is even shorter. I think I am right in saying that yours would only work with PHP5 because earlier versions of PHP don't include support for sha256, which is needed for this.

 

actually Amazon® AWS HMAC signed request using PHP uses the sha256 also

// calculate HMAC with SHA256 and base64-encoding
$signature = base64_encode(hash_hmac("sha256", $string_to_sign, $private_key, True));

the second link uses:
The code requires a library called sha256.inc.php

it should be easy to upgrade to php5 and use the included sha256 function.

 

It appears that PHP4 with the mhash function enabled will support sha256. See Dan Casey's post at:

http://php.filearena.net/manual/kr/function.sha1.php

I don't have access to testing wth PHP4 however substituting

$Signature= base64_encode(mhash(MHASH_SHA256, $PrependString, $SecretAccessKey));

PHP:

for

$Signature = base64_encode(hash_hmac("sha256", $PrependString, $SecretAccessKey, True));

PHP:

works ok for me using PHP 5.2.9! If someone would test the above using PHP4 with mhash enabled the results might be interesting?

For reference on the mhash function see:

http://us3.php.net/manual/en/function.mhash.php

"If specified, the function will return the resulting HMAC instead. HMAC is keyed hashing for message authentication, or simply a message digest that depends on the specified key."

 

Forgot to mention in my last post that since simplexml_load_file() is a PHP5 funtion that you may need to delete or comment out that line. To check if the signature is correct simply click the XML link and view the "Signature" Argument Name. This assumes that the raw XML feed is returned with your call to Amazon. Should look like the following:

<Argument Name="Signature" Value="WnWjr28mfoCu1FWOLqDAEDl9NYcN13v/oEqXwUQIQEw=" />

Code (markup):

Also please be aware that print_r ($XML); no longer displays the parsed XML!

 

I get the following error when I run the URL generated by this script:

<?xml version="1.0" ?> 
- <ItemLookupErrorResponse xmlns="http://ecs.amazonaws.com/doc/2009-01-06/">
- <Error>
  <Code>SignatureDoesNotMatch</Code> 
  <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message> 
  </Error>
  <RequestID>4c5c9d3d-6f65-4acd-bd45-a0155faaf3d4</RequestID> 
  </ItemLookupErrorResponse>

Code (markup):

I am 100% positive that my Access Key and Secret Key are correct. My server is running PHP5.

Any ideas?

 

I am getting the same error to :/

 

My problem is with the signature. if I remove the signature, the request works properly.

Both base64_encode and hash_hmac appear to be working properly.

 

Try using the following (same code) which should copy and paste properly.

<?
$AWSAccessKeyId = "";
$SecretAccessKey = "";

$ItemId = "0679722769"; // ASIN
$Timestamp = gmdate("Y-m-d\TH:i:s\Z"); 
$Timestamp = str_replace(":", "%3A", $Timestamp);
$ResponseGroup = "ItemAttributes,Offers,Images,Reviews";
$ResponseGroup = str_replace(",", "%2C", $ResponseGroup);

$String = "AWSAccessKeyId=$AWSAccessKeyId&
ItemId=$ItemId&
Operation=ItemLookup&
ResponseGroup=$ResponseGroup&
Service=AWSECommerceService&
Timestamp=$Timestamp&
Version=2009-01-06";

$String = str_replace("\n", "", $String); 

$Prepend = "GET\nwebservices.amazon.com\n/onca/xml\n";
$PrependString = $Prepend . $String;

$Signature = base64_encode(hash_hmac("sha256", $PrependString, $SecretAccessKey, True));  
$Signature = str_replace("+", "%2B", $Signature);
$Signature = str_replace("=", "%3D", $Signature);

$BaseUrl = "http://webservices.amazon.com/onca/xml?";
$SignedRequest = $BaseUrl . $String . "&Signature=" . $Signature;

$XML = simplexml_load_file($SignedRequest);

echo '<a href="'.$SignedRequest.'">XML</a><p>';
print_r ($XML);
?>

Code (markup):

Also make sure that the following is on 1 line.

$Signature = base64_encode(hash_hmac("sha256", $PrependString, $SecretAccessKey, True));

Code (markup):

If that doesn't help echo the $SignedRequest URL and check to see if it looks like the following with your "AWSAccessKeyId" and "Signature" included. As soon as time allows I will create a webpage showing each step of the process.

http://webservices.amazon.com/onca/xml?AWSAccessKeyId=YOURACCESSKEY&ItemId=0679722769&Operation=ItemLookup&ResponseGroup=ItemAttributes%2COffers%2CImages%2CReviews&Service=AWSECommerceService&Timestamp=2009-06-21T17%3A15%3A28Z&Version=2009-01-06&Signature=Ifp9yz/9El%2B3jNPYy8lqkOJdj%2Bl/OyIVwrIXxP/XOAM%3D

Code (markup):

I also found that without an attached signature the Amazon API request would be processed.

 

Hi myhart

I tested it. Same results.

The URL looks correct. Everything looks like it should work, but it doesn't. I tested both base64_encode and hash_hmac. Both appear to be working, so I don't think it is a problem with encoding on my server.

I am also getting a strange error from SimpleXML.

 

Hi TechEvangelist,
I was able to duplicate the message that SimpleXML returns to you by adding a space at the end of

ResponseGroup=$ResponseGroup&

Code (markup):

By commenting out

$String = str_replace("\n", "", $String);

Code (markup):

I also created the same message.

You might try the script with the $String all on one line as I suspect an extra space in the string somewhere?

$String = "AWSAccessKeyId=$AWSAccessKeyId&ItemId=$ItemId&Operation=ItemLookup&ResponseGroup=$ResponseGroup&Service=AWSECommerceService&Timestamp=$Timestamp&Version=2009-01-06";

Code (markup):

 

After doing some reading about removing line breaks. I wonder if we also need to remove "Carriage Returns" from the $String? I suppose this may vary from server to server???

$String = str_replace("\r", "", $String);

Code (markup):

 

If we use preg_replace instead of str_replace we can strip all "carriage returns", "line breaks" and "spaces" from the $String.

$String = preg_replace('/[\r\n\" "]/', '', $String);

Code (markup):

 

I think you have pegged the problem.

The returns in the final request URL appear to be causing the problem. I was just looking at the URL in the address bar, which looked correct. I should have looked at the code being generated. The strange error messages were adding to the confusion.

$String = preg_replace('/[\r\n\" "]/', '', $String);

Code (markup):

That did it. You need to strip out both the returns and the newlines. You da man!

Every Amazon affiliate who is following this thread needs to give this guy some green.

 

I personally use ASP.NET

 

Just a quick note to say thanks for this.

Works perfectly for me across both Amazon US and Amazon UK sites [for the UK, I changed the $Preprend to point to amazon.co.uk]. Personally, I created the request string without the line breaks and because the site I'm using creates fairly complicated Amazon requests dynamically and I can't always create the string in the new Amazon sort order, I added a split(), asort() and implode() sequence to the $String to sort the Amazon operations into the correct order before I sign it.

 

Glad you found the above helpful! Once we have a basic working example of adding the API signature to our Amazon product request. It really doesn't seem all that hard to do. I have been working to overcome the issues you mentioned "both Amazon US and Amazon UK sites" and "site I'm using creates fairly complicated Amazon requests dynamically". For the second issue I am also using asort() and implode(). Though sounds like I may have taken a somewhat different approach as I explode() the request URL twice. I have tested the following code with Freekrai's ASM2 . Which seems to be working fine. I will post how to add the Amazon Product signature to ASM2 as soon as I get time. As to the first issue the code shown below will automatically create the signed request URL for both Amazon US and UK sites.

$Request = old request URL
$SignedRequest = new signed request URL
Be sure to add your $SecretAccessKey!

$String = preg_replace('/[\r\n\" "]/', '', str_replace(",", "%2C", $Request));
$SecretAccessKey = "";
$Timestamp = str_replace(":", "%3A",  gmdate("Y-m-d\TH:i:s\Z"));
$StringArray = explode( '?', $String);
$ValueStringArray = explode("&", $StringArray[1]);
$ValueStringArray[] = "Timestamp=".$Timestamp;       
asort($ValueStringArray);
$NewString = implode("&", $ValueStringArray);
$url = parse_url($StringArray[0]);
$Prepend = "GET\n" .$url['host']. "\n" .$url['path']. "\n";
$PrependString = $Prepend . $NewString;
$Signature = base64_encode(hash_hmac("sha256", $PrependString, $SecretAccessKey, True));
$Signature = str_replace("+", "%2B", str_replace("=", "%3D", $Signature));
$SignedRequest = $StringArray[0]. "?" . $NewString . "&Signature=" . $Signature;

Code (markup):

 

Now unpractised But for a store of knowledge beforehand thanks